Latest Java Update Patches 37 Security Holes!


The saga of Java and its inherent vulnerabilities goes on unabated. The latest Java update includes patches for no fewer than 37 security holes, and that’s just the ones that have been identified. I’d love to know just how many individual patches Oracle has released over the past couple of years in what is seemingly a futile attempt to shore up its seriously flawed software… the words “colander” and “sieve” spring to mind.

According to Oracle’s official announcement, 4 of the 37 Java vulnerabilities received a Common Vulnerability Scoring System (CVSS) rating of 10.0, the highest/most severe possible.

Another 37 Reasons Why You Should Junk Your Java

If you have not yet rid your machine of the threat magnet known as Java, I suggest you revisit an earlier article written by our very own fearless leader: You should junk your Java!

That is the best possible solution, but if you simply cannot live without Java, then at least make sure to get the latest update installed as soon as possible. For Java 7 (the version most users will have installed) this will be update 55. For the newer ‘feature release’ version Java 8 (which doesn’t support XP) it will be update 5.

You should be able to identify which Java version is installed on your machine by looking it up in the list of installed programs (in Windows 7 that would be Start > Control Panel > Programs and Features) or via the Java Control Panel. If you’re still not sure which version is installed on your machine, you can double check it here: https://www.java.com/en/
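As an added example (not part of the original article), the PowerShell script below lists the Java runtimes registered in Windows’ uninstall registry keys and flags any that fall below the update levels named above (7 Update 55, 8 Update 5). It assumes Oracle’s installer registers a DisplayName in the form “Java 7 Update 55”, “Java 8 Update 5 (64-bit)” or “Java(TM) 6 Update 45”.

```powershell
# Added example, not from the original article.
# Reads the Windows uninstall registry keys, picks out Java runtimes and
# compares each one against the minimum update level the article names.
# Assumption: Oracle's installer registers a DisplayName such as
# "Java 7 Update 55", "Java 8 Update 5 (64-bit)" or "Java(TM) 6 Update 45".

$minimumUpdate = @{ 7 = 55; 8 = 5 }   # major version -> minimum update number

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    # 32-bit Java installed on 64-bit Windows is recorded here
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    # One object per Java runtime found; nothing is returned if none is installed.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.DisplayName -match '^Java(\(TM\))?\s+(\d+)\s+Update\s+(\d+)') {
                [pscustomobject]@{
                    Name    = $_.DisplayName
                    Major   = [int]$Matches[2]
                    Update  = [int]$Matches[3]
                    Version = $_.DisplayVersion
                }
            }
        }
}

function Get-JavaStatus {
    # Classifies one runtime against the article's minimum update levels.
    param([int]$Major, [int]$Update)
    if ($Major -lt 7) {
        return 'END OF LIFE: no longer patched, remove it'
    }
    if (-not $minimumUpdate.ContainsKey($Major)) {
        return 'not covered by this article'
    }
    if ($Update -lt $minimumUpdate[$Major]) {
        return ('OUT OF DATE: needs Update {0} or later' -f $minimumUpdate[$Major])
    }
    return 'current (as of the update this article describes)'
}

$installed = @(Get-InstalledJava)
if ($installed.Count -eq 0) {
    'No Java runtime is registered in the uninstall keys.'
} else {
    foreach ($java in $installed) {
        '{0,-32} {1,-10} {2}' -f $java.Name, $java.Version,
            (Get-JavaStatus -Major $java.Major -Update $java.Update)
    }
}
```

The script only reads the registry and changes nothing; run it from a PowerShell prompt on the machine you want to check.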


You can update the software via the Java Control Panel (see here for operating system specific guides: How do I enable and view the Java Console?) or from https://www.java.com/en/.

*NOTE: Updating from within the Java Control Panel includes installation of the Ask Toolbar crapware by default, so make sure to deselect that option.

Also, here are two options persistent Java users might consider to help mitigate the risk:

For those users who may experience problems upgrading or removing Java, here is a link to a nice little freeware called JavaRA: http://singularlabs.com/software/javara/

Update or remove, it’s entirely up to you, but please do one or the other, and soon.

About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT. A computer veteran with 30+ years’ experience, he first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s; he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele... as well as writing for DCT, of course.

39 Comments

  1. Yet another “throw the baby out with the bathwater” article over Javaphobia.

    By the criteria used in this “article” all software should be junked:

    Microsoft pushes Windows updates the second Tuesday of EVERY month. There are rarely less than a dozen updates and the bulk of them pertain to security issues, flaws, holes and known exploits. Junk Java and Windows and to heck with all the business folks that depend on MS Products.

    Mac OS X is in its 9th iteration (OS 10.9) because of security issues, flaws, holes, known exploits and hardware compatibility scenarios. Furthermore, OS X is a Unix based Operating System and many attacks and exploits that are used against Unix boxes are also viable against Mac/Apple. Junk Java, Windows and Mac/Apple.

    Adobe updates Flash, Acrobat (including Reader), and all its other software so often it’s not funny. Adobe does that because of security issues, flaws, holes, and known exploits. Junk Java, Windows, Mac/Apple and anything that comes from Adobe.

    Linux is so easy to modify and exploit and so dynamic that plugging all the holes in Linux is humanly impossible. Linux has found its way into a lot of various devices because it’s free and easy to customize, meaning it’s cheap and makes those devices more competitive. Those devices do not update their Linux kernel on every new Linux release and often are not updated or updating at all. Linux isn’t just a fanboy OS, it’s in a lot of things and it’s not getting a lot of updating in those things. Junk Java, Windows, Mac/Apple, Adobe and Linux.

    I could go on but by now the point should be crystal clear regarding junking software just because it has flaws and needs updating.

    I’ve been in the IT industry over 30 years also. I didn’t go the TRS-80 & Commodore route, I was in the military in those days and my “high tech” in that capacity was a bolt action rifle with a very powerful scope mounted. When I got out of the military my first computer was an Epson computer (yes, Epson once made computers as well as printers) that ran the TPM-III Operating System. It had a Titan DOS board in it to emulate MS-DOS so I could run either TPM-III or MS-DOS. I’m not bragging, I’m pointing out that my experience in the IT world isn’t trivial.

    These erudite pundit computer guru authors would serve their readership MUCH better if they wrote articles about why you should vigorously and religiously keep your software updated and then give detailed information on how to do that. Because Java isn’t going away and there are a lot of situations where it’s absolutely mission critical.

    Oh, and NO I am NOT confusing Java and Javascript just to make that clear…

    I cringe every time I see an article like this one. Seriously, it’s almost as if it’s “cool” and politically correct to flail on Java and give advice that is less than optimally useful. I’m not into conspiracy theories but in this one case it’s almost like there’s some sort of concerted hidden coordinated effort to destroy Java. Because people who advise tossing software that is as ubiquitous as Java rather than keep it updated are not giving the best advice at all.

    It would be a different matter if Oracle (they own Java) were not updating it when flaws, holes, and exploitable weaknesses were discovered. THEN getting rid of Java completely might have some real merits.

    • Hello CloaknDagr,

      While I agree with most of what you’re saying I also believe that Java is one of those platforms that just needs to go away. When examining the popular exploit kits Java and Acrobat exploits are generally their top targets – you have to ask yourself why that is. Combined with Java’s historically very poor update record, the fact that many businesses are stuck using unsupported Java versions for compatibility, and the average user who doesn’t even need to have it on their computer and you have a recipe for disaster. The premise of Java is sound. The implementation and coding… not so much.

      • Ok, so you agree with me but you don’t. Sounds awfully conflicted to me but hey, you can agreeably not agree all you like.

        Java is not going to “just go away”. Not anytime in the foreseeable future anyway. It doesn’t matter if you think it needs to go away, it doesn’t matter if I think it needs to stay, what matters is what drives the market and as long as Java is a competitive market compatible solution it’s going to be implemented.

        So saying that “Java just needs to go away” is superfluous and meaningless. It’s like saying “I wish it wouldn’t rain every time I wash my car”. You can say it but saying it accomplishes nothing and if you actually kept track of it you’d probably find that it doesn’t actually rain every time you wash your car.

        The thing about Java as it pertains to this article is that if you need it you can’t junk it, if you can junk it you didn’t need it anyway. It’s basically scare-fluff that serves no real purpose. Other than to be yet another throw the baby out with the bathwater Javaphobic screed.

      • What about programs that tell you that you MUST have Java to view their page/site/video or… whatever… ???

    • As long as you want to not confuse Java with Javascript, you may also want to not confuse Linux with an OS.
      “Linux isn’t just a fanboy OS.”

      But really the point, “I could go on but by now the point should be crystal clear regarding junking software just because it has flaws and needs updating.” is clear.

      It seems that as far as marketing strategy goes, it would almost be *better* for these guys if a company never updated their software. Or did so in smaller increments. It’s like it’s better to say you have no problems than acknowledge them and fix them.

      “Oh look, a Problem! Jump ship!”
      I’d rather a company fix their bugs/flaws than pretend they don’t exist.
      I did notice that no bank was affected by the heartbleed bug. How true is that? Who knows….

    • Betty,
      Java is a programming platform that allows a programmer to write software that will function on multiple platforms (phones, computers, smart devices, etc). Its popularity has slowly declined because of poor security practices and better web technologies. Most users do not need Java and should (in our humble opinion) not install it.

    • Betty, if you don’t know what it is then it’s also very likely you don’t need it. You can safely uninstall it if it’s on your computer, if you need it for something you’ll get a “Java Not Installed” notification and you can go download and install it again.

      Java is used in a lot of things, not so much for web surfing anymore so if you have it installed you should have set its security slider to “High”.

      Java is used for the interface with routers and networking equipment, IP security cameras, firewall controls and other things. Java (and .NET) are used for a lot of business programming so in spite of what you may read Java isn’t going away anytime soon.

      PLEASE do NOT attempt to uninstall Java or anything else if it’s on your work computer, workstation, employer issued laptop or for that matter any other electronic gizmo, doodad, or gimcrack issued to you by an IT department through your employer. Your System Administrator makes those decisions and you could potentially get in a lot of hot water with your boss by fiddling with anything the IT people set up and issued to you.

  2. To be honest, I am almost relieved to be told that I should junk it, since I have spent most of the last two days trying to get it to work! I have tried installing and reinstalling, cleaning up old installations, JavaRa and just about anything I could find to try to get it recognised and to be able to open the Java Control Panel, which tries to open and then fails. I have had similar problems with previous updates and have become pretty fed up with it. I am still running XP, so I suppose I should be junking the computer too…

    • BAW30s-

      If Java is crashing then there’s an issue causing that, however … If you’re still running XP then you have a much bigger problem than Java. XP is “End of Life” and no longer supported by Microsoft. It had a good run and it was a great Operating System in its day but that day is over.

      Being “End of Life” means that ANY exploit, attack or vulnerability discovered by the bad guys since the last XP update will hit your computer with full force. You can count on a lot of attack dissemination because the bad guys know a lot of people will still be running XP even though it’s no longer supported and holes are no longer being plugged.

      This isn’t necessarily a failure on the part of Microsoft. There are literally tens to hundreds of thousands of lines of code that go into an Operating System including all the ancillary libraries etc. One weakness in any given line of code or line in a library (like .dll files) is enough to compromise a computer to a greater or lesser degree. Notice I said “weakness”, not “error”. It is not humanly possible to write all that code and get it to do all it needs to do without inadvertently including weak points security-wise.

      That XP or any other Operating System must come to a point where it is no longer supported is a given. It’s not economically feasible to support a piece of software indefinitely and that includes Operating Systems. You might as well blame Ford Motor Company for not making spare parts for Edsels anymore. It’s a market driven necessity.

      Programmers program for functionality, that’s their job. The bad guys program to attack weaknesses, that’s their job. It’s a constant battle that never ends but now no one is fighting on the side of the good guys and XP anymore.

      For your own sake and safety you really need to either replace your computer if it can’t run a more modern Operating System or if it can, then install something that is still being supported. Windows 7 will run on many computers that came with XP but meet the minimum system requirements for Windows 7. I run Windows 7 on a little netbook I use all the time and it has a little dual-core 1.66 GHz Intel Atom processor and 2 GB of RAM. It meets the minimum requirements barely and it’s not the fastest machine in the world but it does OK running the full Windows 7 Ultimate x64 OS.

    • Baw30s, I’d bet you a pound to a penny of salt that your machine could probably run at least Windows 7.
      Have a look at our forum, start a topic with your specs and let’s see.
      Cheers
      Marc

  3. Once again I’ve read all the “fors and againsts” regarding Java and I am still totally confused regarding what to do!
    Do I keep it, because I can’t download statements from my bank without it or do I delete it and have to keep on reloading it when I need it?
    Surely you whizkids out there can try and agree on something!

    • @John
      Are you sure it’s Java and not JavaScript – they sound similar but aren’t? If so, it’s a shame your bank puts you in that position! Your best option would be to run some type of virtual machine, but that’s above the ability of many. The second best option is to prevent Java from integrating in the browser and only enable it when needed.

      The funny thing is that Java provides instructions to do so on their site @ http://www.java.com/en/download/help/disable_browser.xml.

  4. I removed Java from both my laptops with Windows7. This was a couple of months ago and have had no issues whatsoever.

  5. That’s so funny. 37 security holes. Do you know how many holes are fixed in Windows with every update (or holes that remain open on MacOSX)? You get all those fixes for free, so what’s your point?

  6. Java will not go today (4/26/14) but may go someday or maybe will be there forever like Cobol/mainframes (they are still around!! and IBM is making money selling mainframes!!!) Anyway 30 years from now if we hypothetically have a new language “X” that will also have security holes and would be requiring updates every so often. Since we have sophisticated “Anti Theft” systems and internet monitoring for our homes, does it mean there is no theft and stealing? Software security will always be there as long as software is there. You just have to plug the holes and be proactive. If Oracle is the owner if they are providing security patches in a timely fashion that would need to be addressed. Getting rid of Java !!! Sounds like you are out of touch with the world we are living in. As CloaknDagr pointed out then you have to get rid of all the software that is in existence today.

    Betty has asked “what is java”. I am sure she has been using a smart phone/laptop or some device at home/work everyday and has been using Java all the time. It is just that she is not aware.

  7. Because my Windows 8 Start-up had been so slow since having installed Microsoft Start 8, I uninstalled it, having mistakenly assumed that was the problem. When that did nothing, I rechecked my Add/Remove Programs list, and going on a hunch, removed the Java Updater. Lo and behold, problem solved!

    I say, unless one desperately needs Java for whatever application, get rid of it IMMEDIATELY! It was pretty much holding my PC hostage, with annoyingly recurring Java Update Popups! Who needs that garbage?

    Anyway, that’s my opinion!

    CHEERS!

  8. I removed Java from my laptop, and told my wife to only use hers when she goes to the Pogo game site. For some reason she needs it to play her games. Otherwise it’s gone from mine and only used on hers when she goes to the game site. Everything else seems to work so far, and this was over a year ago.

  9. One thing:

    Minecraft

    So over 100M users are screwed??… Or is the use of Java in that different? It’s still online, however not used in a specific internet-browser. Though, it’s still installed into internet-browsers. Should I just deactivate it? Although, I’m not actually very worried about it with the security I have installed.

    • Over 15 years of removing malware from PCs, I cannot say I’ve ever run across an infected system due to a Java exploit. I’m not suggesting that it can’t happen, but from my experience chances are slim. If you need Java, keep it updated as quickly as possible, and keep your anti-malware programs up to date and scanning regularly. 🙂

  10. I think EVERYONE is missing the point. Yes Microsoft has security holes as does MAC OS. The point is why carry an UNNECESSARY plethora of additional security risks if it isn’t needed. Why go down a path where you know there are TEN people waiting to steal from you, if you know of an optional path that only has TWO people waiting to steal from you.

    The point is RISK mitigation. If you need JAVA, keep it, and keep it updated. If you don’t need it, then get rid of the additional RISKS.

    • You have summed up the situation succinctly and accurately, thank you Ken!

      The main message here is… if you don’t need Java you should consider getting rid of it altogether. What’s the point in keeping something which is not only vulnerable to exploitation but also superfluous to requirements. I thought the combined articles explained the situation quite clearly and adequately… apparently I was mistaken.

      Cheers… Jim

  11. Okay, for those of us who are a little knowledgeable (a little knowledge is a dangerous thing), and who may not know the difference between Java and Javascript, or who may not know whether we need it on our laptops/desktops (yes, many of us still use those dinosaurs)… what are the specific consequences of dumping Java? What significant/widely used programs won’t run/work right without it? And, more important, what alternatives to Java are there? (I think I know the answer to this last one, but I would like the opinion of someone else who knows more than I do.)

  12. “It’s popularity has slowly declined”? I run into and use Java on the internet every day. Just about every web site that has to deliver games or other active content cross platform uses it. That includes Facebook and just about all of the online game sites, such as Pogo and Big Fish.

    In yet another of these articles that preach that Java should be removed from computers, the pundit claimed that it isn’t used on many web sites anymore. My own observation is that it IS used on many of the web sites that get millions of users weekly, even though they may make up a very small percentage of the total number of sites on the Web.

    I’ll give you the challenge I gave him. If you think Java needs to be junked, then come up with something that does what Java does better than it does it. No one else ever has.

  13. Oracle, makers of JAVA, received millions of dollars from the state of OR, was unable to deliver the product and finally the state gave up and is now trying to recover some of the money spent for COVER Oregon. I have to have JAVA for my work at home applications, I do keep it updated, but wish I did not have to have it. Please keep up the reporting of issues that may affect most internet users. I faithfully read each report and find PC Pit Stop one of my favorite sites for up to date information and advice.
    Sincere thanks to all the staff at Pit Stop

  14. If your machine is not using Java … then even if it is installed you cannot be breached by it. If your machine is using Java … then you need it.

  15. Going back to the XP “End of Life” thing: is my machine at risk if I get sent something from someone who is still using XP? I run W7.

    • Bill-

      If you keep your W7 machine updated, keep your anti-malware updated and active, then no. A more likely consequence of someone not replacing XP is that they’ll get their machine hijacked, zombied, botted, keylogged, trojaned, etc. While XP machines may become a pool for maliciousness the bad guys know those machines are in a particularly vulnerable situation and will try to exploit those machines to use against their owners and/or appropriate them for the use of the bad guys.

      An example of the black hats using them against their owners would be to compromise the machine and put a keylogger on it, hoping to catch credit card or banking information, passwords, etc. Identity theft and electronic robbery are the big worries.

      Examples of the bad guys using them for their own purposes would be as storage and servers for malware, warez, illegal file sharing (like child porno), etc. Those machines can be used to hide the bad guys and create layers between themselves and the people seeking to bring them to justice. They might use them for DDOS attacks as zombie/bot nets or for pumping out Spam to the internet also.

      The thing that makes an end of life Operating System vulnerable doesn’t translate to a direct risk to your properly updated, security software protected W7 machine. The only proviso would be that those end of life systems are much more likely to become pools of foulness that promote criminality and generally detract from the internet overall.

      • One more thing about the XP end of life, you can bet your bottom dollar that the black hats have been sitting on a plethora of new exploits just waiting for that date to arrive before releasing any exploits. It would be idiotic to release any exploit while MS is still patching holes when all you have to do is wait a few more months…XP holdouts may be in for a virtual Tornado of problems headed their way. For you holdouts reading this, UPGRADE NOW! Not only do you make yourself more insecure, you can affect everyone else as any compromised machine is a potential threat to us all.
        BTW CloaknDagr, nicely done on pointing out your views, you bring some very valid points to the table.

  16. I just want to say, what a thoughtful, wonderful discussion, this whole topic has been. I have learned a lot, about Java, from this whole article and comments. I am a big gamer, not the LAN type of gamer, but, the Casual type of gamer and have found for me, that I do need to have Java, to play certain games. I do keep my Java updated and have both my Anti-Virus and Anti-Malware programs up to date and they scan, frequently. I have quick scans daily, with full scans weekly. To others, this may seem like “overkill”, but to me, this is reality, in keeping my Desktop PC working to its optimum potential.

    Like Jim Hillier, I have used the FREE versions of most good security programs, for years. It has only been within the past year, that I have bothered to purchase the Pro or Paid versions, of these FREE versions. I am 70 years old and needed to be able to do things, on a Schedule, not manually, anymore. After building from scratch, 12 desktop computers starting in my 50’s, and repairing most of my family and friends computers … I am tired and just want to enjoy, my own computer, without having to “think” about what I need to do daily, to keep it running smooth and free of stuff. So, for me … My decision made sense. I have had my years of “battling” the viruses, Trojan Horses, Worms and Spyware/Malware, but, have learned along the way … That an ounce of prevention, is well, worth more than a pound of cure!

  17. I always thought Java was necessary for most, if not all, internet activity. I do keep everything secure with top-rated freeware (and vigilance) and never have security problems. However I suppose I’ll have to upgrade from XP to Win7 sooner rather than later.
    Thanks, all, for the valuable discussion.

  18. I read all the comments here but no one has offered a real solution. First of all, someone here, if they know what it is that you need Java for, should make a list.
    For example, “browsing” with any browser: is Java needed?
    What do you use your computer for (excluding the internet to check email, etc, where Java might be needed):
    Do you use MS Word, Excel? Is Java needed, yes or no?
    Do you watch a DVD? Do you need Java, yes or no?
    In other words make a list of programs that need Java or not so people then can leave or remove Java.
    Most people use cell phones and when you drive under a bridge or a tunnel you might lose the connection or can hardly hear the other party. If there is a solution for this someone needs to find it, if not you have to live with it. This might not damage your phone unlike a computer but I think you get the point.
    It is difficult to prevent a runaway driver from entering a highway and causing a big problem.
    I still use Windows XP as my main OS and have no problems (I also have Win7 and 8, plus Linux and a MAC) but I might add I am a computer technician and I take all the necessary precautions in case of an accident.

  19. I’m using Xtreme Download Manager as my video downloader and it won’t run without Java 6 or higher. I love XDM so I guess I am stuck with Java. I’m using both Win XP and elementary OS. I can’t totally get rid of XP coz it handles videos better than Linux. My system has only 1GB of RAM but XP can play HD videos smoothly. HD videos in eOS aren’t that smooth. When online using XP, I am very careful to stick with safe web sites. I have AdGuard installed so I don’t wander into rogue sites. Occasionally, however, my registry still gets infected with PUPs (such as autoupdate.exe & spigot). That’s what MBAM reports. Well, anyway, dangerous malware such as cryptolocker targets wealthy nations such as the US & Europe. For the rest of us, I believe that we are safe from targeted attacks.

  20. Re Java:
    According to your post Java version 8 should be on update 5. I have 8, update 31. Java says I have the latest version.